Quantifying The Financial Impact Of Security Incidents

How much? It’s a simple question really, yet one that security professionals often find very difficult to answer when trying to justify mitigating risks to the business. What exactly is the financial impact of a virus outbreak? Can you calculate how much the bottom line would be affected if that laptop were left in a bar?

In November 2010, the task of quantifying the financial impact of security incidents (in the UK) got a lot simpler, thanks in part to the Information Commissioner’s Office (ICO). The ICO has now exercised the fining powers it was granted in April 2010, with two organizations facing hefty penalties: one for misdirected faxes, the other for the loss of an unencrypted laptop.

Such fines can reach up to half a million pounds, which I suppose some organizations may see as relatively small when compared with the recent fines imposed by the FSA. However, when combined with the negative publicity and, ultimately, lost business, this makes a compelling case for ensuring that security budgets reflect the changing regulatory landscape.

According to McAfee’s Simon Hunt (VP and Chief Technology Officer, Endpoint Security): “It’s often forgotten that around 30% of reported data breaches are caused accidentally by insiders – people trying to do their job, trying to solve problems, but just inadvertently making a mistake and disclosing information. The Hertfordshire County Council incident for example was just a case of a mistaken fax number, a simple mistake but tremendously embarrassing, costly, and damaging for the victim.”

“Even though the risk of unencrypted data on mobile devices like laptops has been understood for over a decade, we still find examples where very sensitive information is on unprotected devices. The A4e case was particularly damaging as it wasn’t ‘secret sauce’, it was very sensitive and revealing personal information. Companies need to remember that they are only the custodians of personal information – they are not the owners, we, the individuals are, and we should be demanding they take good care of it, either by keeping it under lock and key, or by using commonly available technological measures to secure it.”

Although both organizations reported the incidents to the ICO, some people will be tempted simply not to report future incidents for fear of penalties. I would suggest, however, that the likelihood of a member of the public (who may, for example, have inadvertently received a misdirected fax) not raising it is slim. A more cost-effective and operationally efficient approach is to implement an information security program that reduces the risk of such incidents happening again. Ultimately, I believe that the cost of managing information risk is not prohibitive; we often talk about security being a business enabler, and it really can be. One of the first steps I would suggest is reading this excellent blog by my colleague Matt Fairbanks.